- The basic XSS payload.
- For use where a URL is taken as input.
- This bypasses a poorly designed blacklist system with the HTML5 autofocus attribute.
- Another basic payload for when <script> tags are explicitly filtered.
- HTML5 payload that only works in Firefox, Chrome, and Opera.
- HTML5 payload that only works in Firefox, Chrome, and Opera.
- Used to exploit web applications whose Content Security Policy contains script-src but has unsafe-inline enabled.
- An example payload for sites that include jQuery.
- HTML injection using onmouseover, with exfiltration of base64(document.cookie + '||' + document.URL).